October 16, 2019 #317

Closed
jednano opened this issue Oct 10, 2019 · 5 comments
Labels
meeting notes Topic requests and notes from meetings

Comments

@jednano

jednano commented Oct 10, 2019

Please add your topic as a comment to the issue. Use the following format:
Topic description and link to PR, if any (duration in min)

Time: 10:30am CST/CDT

BlueJeans Meeting - https://bluejeans.com/7385677850

🎥 no recording available

@jednano
Author

jednano commented Oct 10, 2019

Introduce Server-Side Rendering ~ 15 min.

@AlexMaxHorkun
Contributor

Introduce stateless tokens #320 ~ 15 min

@buskamuza added the "meeting notes" label on Oct 16, 2019
@buskamuza
Contributor

Deprecate result factories in favor of one generic magento/magento2#24711 - 5min

@paliarush
Contributor

Server side rendering:

  • @AlexMaxHorkun: Q: How are we going to deploy it with the monolithic application? A: It should be on a separate server if possible
  • @ravmenon: Q: It looks like we are going back to high coupling. A: Yes, but it is done to achieve better performance

Stateless tokens:

  • @paliarush: Q: How are we going to validate expired tokens without a call to the DB? A: Redis may work, but this needs to be clarified. @AlexMaxHorkun will add more details to the proposal
  • @ravmenon: User data will have to be loaded from the DB anyway
  • @ravmenon: The payload can be big; keep in mind the cookie size limit
  • @paliarush: We are planning to implement a similar mechanism at the API Gateway level during service isolation. Please keep backward compatibility in mind and preserve a graceful transition from the old token format to the new one.
  • @joni-jones: It may be difficult for third parties to extend the payload. Left some comments regarding the implementation in the review

Result factories:

@ravmenon
Contributor

Re stateless token: Generally I favor this approach.

Regarding the 'user data being loaded anyway', I was suggesting using a value here (like a sequence number or nonce-like value) when constructing the token as a mechanism for a revocation strategy. During decoding of the token, this value can be compared against what is in the DB for that user, and if it is the same, the token is valid. You can revoke a token by directly updating this value for a user. It is just one possibility if a revocation mechanism is needed.

Some pros and cons being mentioned here: https://phillbarber.blogspot.com/2014/02/client-side-vs-server-side-session.html (note: the article mentions using a public/private key pair, but it is not necessary for simpler setups).
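The following is an added illustration, not code from Magento or from proposal #320, of the two points discussed in this thread: the meeting question of validating an expired token without a database call, and ravmenon's suggestion of a per-user sequence/nonce value for revocation. It uses an HMAC-SHA256 signed token (a JWT-like shape, but hand-rolled to keep it dependency-free) rather than the public/private key pair mentioned in the linked article. The secret key, the in-memory `USER_TOKEN_VERSION` dictionary standing in for the per-user DB column, and user id 42 are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example only; a real deployment loads this from
# protected configuration and rotates it.
SECRET_KEY = b"example-secret-key-do-not-use-in-production"

# Constructed stand-in for the per-user revocation value kept in the database
# (the "sequence number or nonce-like value" from the comment above).
USER_TOKEN_VERSION = {42: 1}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encode time.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Build '<payload>.<tag>' where tag = HMAC-SHA256(SECRET_KEY, payload)."""
    now = time.time() if now is None else now
    payload = {
        "sub": user_id,
        "exp": int(now) + ttl_seconds,
        "ver": USER_TOKEN_VERSION[user_id],  # revocation value captured at issue time
    }
    body = _b64url_encode(
        json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    )
    tag = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url_encode(tag)}"


def verify_stateless(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Signature and expiry check only: everything needed is inside the token,
    so no database or cache round trip is required. Returns the payload or None."""
    now = time.time() if now is None else now
    try:
        body, tag_text = token.split(".", 1)
        tag = _b64url_decode(tag_text)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        payload = json.loads(_b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired (or malformed) tokens are rejected without a DB call
    return payload


def verify_with_revocation(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Stateless check first, then the single cheap lookup that revocation needs:
    the 'ver' inside the token must still match the user's stored value."""
    payload = verify_stateless(token, now)
    if payload is None:
        return None
    current = USER_TOKEN_VERSION.get(payload.get("sub"))
    if current is None or current != payload.get("ver"):
        return None
    return payload


def revoke_all_tokens(user_id: int) -> None:
    """Bump the stored value: every token issued with the old 'ver' is now rejected."""
    USER_TOKEN_VERSION[user_id] = USER_TOKEN_VERSION.get(user_id, 0) + 1


if __name__ == "__main__":
    t0 = 1_000_000  # fixed clock so the run is reproducible
    tok = issue_token(42, ttl_seconds=3600, now=t0)
    print("token bytes:", len(tok))  # worth watching against the cookie size limit
    print("valid now:", verify_with_revocation(tok, now=t0 + 1) is not None)
    revoke_all_tokens(42)
    print("after revocation:", verify_with_revocation(tok, now=t0 + 1) is not None)
```

Note the split that the meeting notes asked about: `verify_stateless` answers "is this token genuine and unexpired?" from the token alone, while revocation still costs one read of a small per-user value, which is exactly the kind of lookup that could live in Redis rather than the main DB. Bumping the value invalidates every outstanding token for that user at once, which is the trade-off of this scheme versus a per-token denylist. The payload here is deliberately tiny; anything added to it (roles, profile data) lands in the cookie and counts against the size limit raised above.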
